SOFTWARE DEVELOPER Google has thrown down the gauntlet to white-hat hackers by offering up to $60,000 to anyone who can engineer a fully functional exploit that punches a security hole in its Chrome web browser.
The search giant has once again chosen the Cansecwest security conference to announce the competition, noting that developing a fully functional exploit is "significantly more work" than finding and reporting a potential security bug.
Posting on the Google Chrome Security Blog, Chris Evans and Justin Schuh from the Google Chrome Security Team explained that the aim of the sponsorship is simple. They said, "We have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users."
Somewhat perversely, the team added that the fact that Chrome is not receiving exploits means that it is actually harder to improve the platform. So to address this and maximise the chances of receiving exploits this year, the search company has dug deep to put up a cool $1 million worth of rewards. The top individual prize of $60,000 will be paid for a full Chrome exploit using only bugs in Chrome to deliver Windows 7 local OS user account persistence.
$40,000 is up for grabs for a partial Chrome exploit based on at least one bug in Chrome itself, plus other bugs. For example, a Webkit bug combined with a Windows sandbox bug.
Moving down the scale, Google will cough up a $20,000 "Consolation reward" for an exploit that does not actually use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
All winners will also receive a Chromebook.
"We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or 'winner takes all'. We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely '0-day', i.e. not known to us or previously shared with third parties. Contestant's exploits must be submitted to and judged by Google before being submitted anywhere else," the company explained. µ
Sign up for INQbot – a weekly roundup of the best from the INQ